Home / Palo Alto Networks / PCNSE

Question list

List of questions

Question 1

(0)

DRAG DROP Match each type of DoS attack to an example of that type of attack.

Question 2

(0)

DRAG DROP Below are the steps in the workflow for creating a Best Practice Assessment in a firewall and Panorama configuration. Place the steps in order.

Question 3

(0)

When using certificate authentication for firewall administration, which method is used for authorization?

Question 4

(0)

A network administrator wants to use a certificate for the SSL/TLS Service Profile. Which type of certificate should the administrator use?

Question 5

(0)

Using multiple templates in a stack to manage many firewalls provides which two advantages? (Choose two.)

Question 6

(0)

A network security engineer is attempting to peer a virtual router on a PAN-OS firewall with an external router using the BGP protocol. The peer relationship is not establishing. What command could

Question 7

(0)

A network security engineer must implement Quality of Service policies to ensure specific levels of delivery guarantees for various applications in the environment They want to ensure that they know

Question 8

(0)

Which statement regarding HA timer settings is true?

Question 9

(0)

When you navigate to Network: > GlobalProtect > Portals > Method section, which three options are available? (Choose three )

Question 10

(0)

An engineer must configure the Decryption Broker feature Which Decryption Broker security chain supports bi-directional traffic flow?

Question 297 - PCNSE discussion

Phase two of a VPN will not establish a connection. The peer is using a policy-based VPN configuration. What part of the configuration should the engineer verify'?

PAN-OS versions

Proxy-IDs

IKE Crypto Profile

Security policy

Suggested answer: B

Explanation:

Proxy-ID is a parameter that identifies the traffic that needs to be encrypted and tunneled in an IPSec VPN. Proxy-ID consists of the local and remote IP addresses, protocols, and ports. Proxy-ID is used when the peer is using a policy-based VPN configuration, which allows specifying the Proxy-ID settings manually. If the Proxy-ID settings do not match on both peers, the phase two of the VPN will not establish a connection. Therefore, the correct answer is B.

The other options are not parts of the configuration that the engineer should verify for phase two of a VPN:

PAN-OS versions: This option is not relevant for phase two of a VPN. PAN-OS versions are the software versions that run on Palo Alto Networks firewalls. They do not affect the VPN connection establishment, as long as they support the same VPN features and protocols2.

IKE Crypto Profile: This option is not relevant for phase two of a VPN. IKE Crypto Profile is a parameter that defines the encryption and authentication algorithms for IKE negotiation. IKE negotiation is part of phase one of the VPN, not phase two3.

Security policy: This option is not relevant for phase two of a VPN. Security policy is a rule that allows or denies traffic based on various criteria, such as source, destination, application, user, and service. Security policy does not affect the VPN connection establishment, but only the traffic that passes through the VPN tunnel4.

Reference: 1: https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/vpn/site-to-sitevpn/set-up-a-site-to-site-vpn-between-two-firewalls/policy-based-vpn 2:

https://docs.paloaltonetworks.com/pan-os.html 3:

https://docs.paloaltonetworks.com/pan-os/91/pan-os-admin/vpn/site-to-site-vpn-concepts/internet-key-exchange-ike-for-vpn/methods-ofsecuring-ipsec-vpn-tunnels-ike-phase-2 4:

https://docs.paloaltonetworks.com/pan-os/9-1/pan-osadmin/policy/security-policy.html

Show Answer

asked 23/09/2024

Wissem M'RAD

37 questions

Your answer: A B C D

0 comments

Sorted by